
A Deep Dive into Android Security

There are more than one billion Android devices in use today, each one a potential target. Unfortunately, many fundamental Android security features have been little more than a black box to all but the most elite security professionals—until now.

In Android Security Internals, top Android security expert Nikolay Elenkov takes us under the hood of the Android security system. Elenkov describes Android security architecture from the bottom up, delving into the implementation of major security-related components and subsystems, like Binder IPC, permissions, cryptographic providers, and device administration.

You’ll learn:

• How Android permissions are declared, used, and enforced
• How Android manages application packages and employs code signing to verify their authenticity
• How Android implements the Java Cryptography Architecture (JCA) and Java Secure Socket Extension (JSSE) frameworks
• About Android’s credential storage system and APIs, which let applications store cryptographic keys securely
• About the online account management framework and how Google accounts integrate with Android
• About the implementation of verified boot, disk encryption, lockscreen, and other device security features
• How Android’s bootloader and recovery OS are used to perform full system updates, and how to obtain root access

With its unprecedented level of depth and detail, Android Security Internals is a must-have for any security-minded Android developer.

About the Author

Nikolay Elenkov has been working on enterprise security–related projects for more than 10 years. He became interested in Android shortly after the initial public release and has been developing Android applications since version 1.5. His work has led to the discovery and correction of significant Android security flaws. He writes about Android security on his highly regarded blog.

Covers Android 4.4

Android Security Internals
An In-Depth Guide to Android’s Security Architecture
Nikolay Elenkov
Foreword by Jon Sawyer

THE FINEST IN GEEK ENTERTAINMENT™
“I LIE FLAT.” This book uses a durable binding that won’t snap shut.
www.nostarch.com
$49.95 ($51.95 CDN)
Shelve In: Computers/Security


Android Security Internals
An In-Depth Guide to Android’s Security Architecture

by Nikolay Elenkov

San Francisco


Android Security Internals. Copyright © 2015 by Nikolay Elenkov.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
Printed in USA
First printing
18 17 16 15 14   1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-581-1
ISBN-13: 978-1-59327-581-5


Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Garry Booth
Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Kenny Root
Copyeditor: Gillian McGarvey
Compositor: Susan Glinert Stevens
Proofreader: James Fraleigh
Indexer: BIM Proofreading & Indexing Services

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900;
www.nostarch.com
Library of Congress Control Number: 2014952666
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other
product and company names mentioned herein may be the trademarks of their respective owners. Rather
than use a trademark symbol with every occurrence of a trademarked name, we are using the names only
in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The Android robot is reproduced or modified from work created and shared by Google and used according
to terms described in the Creative Commons 3.0 Attribution License.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution
has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any
liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or
indirectly by the information contained in it.


About the Author
Nikolay Elenkov has been working on enterprise security projects for
the past 10 years. He has developed security software on various platforms, ranging from smart cards and HSMs to Windows and Linux
servers. He became interested in Android shortly after the initial public
release and has been developing applications for it since version 1.5.
Nikolay’s interest in Android internals intensified after the release of
Android 4.0 (Ice Cream Sandwich), and for the past three years he’s
been documenting his findings and writing about Android security on
his blog.
About the Technical Reviewer
Kenny Root has been a core contributor to the Android platform at
Google since 2009, where his focus has been primarily on security and
cryptography. He is the author of ConnectBot, the first SSH app for
Android, and is an avid open source contributor. When he’s not hacking
on software, he’s spending time with his wife and two boys. He is an
alumnus of Stanford University, Columbia University, Chinese University
of Hong Kong, and Baker College, but he’s originally from Kansas City,
which has the best barbecue.



Brief Contents

Foreword by Jon Sawyer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Chapter 1: Android’s Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2: Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 3: Package Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Chapter 4: User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter 5: Cryptographic Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter 6: Network Security and PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter 7: Credential Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Chapter 8: Online Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Chapter 9: Enterprise Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Chapter 10: Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Chapter 11: NFC and Secure Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 12: SELinux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Chapter 13: System Updates and Root Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377




Contents in Detail

Foreword by Jon Sawyer . . . . . xvii

Acknowledgments . . . . . xix

Introduction . . . . . xxi
    Who This Book Is For . . . . . xxii
    Prerequisites . . . . . xxiii
    Android Versions . . . . . xxiii
    How Is This Book Organized? . . . . . xxiv
    Conventions . . . . . xxv

Chapter 1: Android’s Security Model . . . . . 1
    Android’s Architecture . . . . . 1
        Linux Kernel . . . . . 2
        Native Userspace . . . . . 2
        Dalvik VM . . . . . 3
        Java Runtime Libraries . . . . . 4
        System Services . . . . . 4
        Inter-Process Communication . . . . . 4
        Binder . . . . . 5
        Android Framework Libraries . . . . . 10
        Applications . . . . . 10
    Android’s Security Model . . . . . 12
        Application Sandboxing . . . . . 12
        Permissions . . . . . 14
        IPC . . . . . 15
        Code Signing and Platform Keys . . . . . 16
        Multi-User Support . . . . . 16
        SELinux . . . . . 17
        System Updates . . . . . 17
        Verified Boot . . . . . 18
    Summary . . . . . 19

Chapter 2: Permissions . . . . . 21
    The Nature of Permissions . . . . . 21
    Requesting Permissions . . . . . 23
    Permission Management . . . . . 23
        Permission Protection Levels . . . . . 24
        Permission Assignment . . . . . 26
    Permission Enforcement . . . . . 30
        Kernel-Level Enforcement . . . . . 30
        Native Daemon-Level Enforcement . . . . . 31
        Framework-Level Enforcement . . . . . 33
    System Permissions . . . . . 37
        Signature Permissions . . . . . 39
        Development Permissions . . . . . 39
    Shared User ID . . . . . 40
    Custom Permissions . . . . . 42
    Public and Private Components . . . . . 43
    Activity and Service Permissions . . . . . 44
    Broadcast Permissions . . . . . 45
    Content Provider Permissions . . . . . 46
        Static Provider Permissions . . . . . 46
        Dynamic Provider Permissions . . . . . 47
    Pending Intents . . . . . 49
    Summary . . . . . 50

Chapter 3: Package Management . . . . . 51
    Android Application Package Format . . . . . 51
    Code Signing . . . . . 53
        Java Code Signing . . . . . 53
        Android Code Signing . . . . . 59
    APK Install Process . . . . . 61
        Location of Application Packages and Data . . . . . 62
        Active Components . . . . . 63
        Installing a Local Package . . . . . 66
        Updating a Package . . . . . 72
        Installing Encrypted APKs . . . . . 76
        Forward Locking . . . . . 79
        Android 4.1 Forward Locking Implementation . . . . . 80
        Encrypted Apps and Google Play . . . . . 82
    Package Verification . . . . . 83
        Android Support for Package Verification . . . . . 84
        Google Play Implementation . . . . . 85
    Summary . . . . . 86

Chapter 4: User Management . . . . . 87
    Multi-User Support Overview . . . . . 87
    Types of Users . . . . . 90
        The Primary User (Owner) . . . . . 90
        Secondary Users . . . . . 91
        Restricted Profiles . . . . . 92
        Guest User . . . . . 94


    User Management . . . . . 95
        Command-Line Tools . . . . . 95
        User States and Related Broadcasts . . . . . 95
    User Metadata . . . . . 96
        The User List File . . . . . 96
        User Metadata Files . . . . . 97
        User System Directory . . . . . 99
    Per-User Application Management . . . . . 99
        Application Data Directories . . . . . 100
        Application Sharing . . . . . 101
    External Storage . . . . . 104
        External Storage Implementations . . . . . 104
        Multi-User External Storage . . . . . 105
        External Storage Permissions . . . . . 111
    Other Multi-User Features . . . . . 112
    Summary . . . . . 113

Chapter 5: Cryptographic Providers . . . . . 115
    JCA Provider Architecture . . . . . 116
        Cryptographic Service Providers . . . . . 116
    JCA Engine Classes . . . . . 119
        Obtaining an Engine Class Instance . . . . . 119
        Algorithm Names . . . . . 120
        SecureRandom . . . . . 120
        MessageDigest . . . . . 121
        Signature . . . . . 122
        Cipher . . . . . 123
        Mac . . . . . 127
        Key . . . . . 128
        SecretKey and PBEKey . . . . . 128
        PublicKey, PrivateKey, and KeyPair . . . . . 129
        KeySpec . . . . . 129
        KeyFactory . . . . . 129
        SecretKeyFactory . . . . . 130
        KeyPairGenerator . . . . . 131
        KeyGenerator . . . . . 131
        KeyAgreement . . . . . 132
        KeyStore . . . . . 133
        CertificateFactory and CertPath . . . . . 135
        CertPathValidator and CertPathBuilder . . . . . 136
    Android JCA Providers . . . . . 137
        Harmony’s Crypto Provider . . . . . 137
        Android’s Bouncy Castle Provider . . . . . 137
        AndroidOpenSSL Provider . . . . . 140
        OpenSSL . . . . . 142
    Using a Custom Provider . . . . . 142
        Spongy Castle . . . . . 143
    Summary . . . . . 144


Chapter 6: Network Security and PKI . . . . . 145
    PKI and SSL Overview . . . . . 146
        Public Key Certificates . . . . . 146
        Direct Trust and Private CAs . . . . . 148
        Public Key Infrastructure . . . . . 148
        Certificate Revocation . . . . . 150
    JSSE Introduction . . . . . 151
        Secure Sockets . . . . . 152
        Peer Authentication . . . . . 152
        Hostname Verification . . . . . 154
    Android JSSE Implementation . . . . . 155
        Certificate Management and Validation . . . . . 156
        Certificate Blacklisting . . . . . 162
        Reexamining the PKI Trust Model . . . . . 166
    Summary . . . . . 170

Chapter 7: Credential Storage . . . . . 171
    VPN and Wi-Fi EAP Credentials . . . . . 172
        Authentication Keys and Certificates . . . . . 172
        The System Credential Store . . . . . 173
    Credential Storage Implementation . . . . . 174
        The keystore Service . . . . . 174
        Key Blob Versions and Types . . . . . 176
        Access Restrictions . . . . . 176
        keymaster Module and keystore Service Implementation . . . . . 176
        Nexus 4 Hardware-Backed Implementation . . . . . 178
        Framework Integration . . . . . 180
    Public APIs . . . . . 181
        The KeyChain API . . . . . 181
        KeyChain API Implementation . . . . . 185
        Controlling Access to the Keystore . . . . . 186
        Android Keystore Provider . . . . . 188
    Summary . . . . . 189

Chapter 8: Online Account Management . . . . . 191
    Android Account Management Overview . . . . . 192
    Account Management Implementation . . . . . 192
        AccountManagerService and AccountManager . . . . . 193
        Authenticator Modules . . . . . 194
        The Authenticator Module Cache . . . . . 194
        AccountManagerService Operations and Permissions . . . . . 195
        The Accounts Database . . . . . 198
        Multi-User Support . . . . . 201
        Adding an Authenticator Module . . . . . 203
    Google Accounts Support . . . . . 206
        The Google Login Service . . . . . 206
        Google Services Authentication and Authorization . . . . . 209
        Google Play Services . . . . . 211
    Summary . . . . . 213

Chapter 9: Enterprise Security . . . . . 215
    Device Administration . . . . . 216
        Implementation . . . . . 217
        Adding a Device Administrator . . . . . 223
        Enterprise Account Integration . . . . . 226
    VPN Support . . . . . 229
        PPTP . . . . . 229
        L2TP/IPSec . . . . . 229
        IPSec Xauth . . . . . 230
        SSL-Based VPNs . . . . . 230
        Legacy VPN . . . . . 231
        Application-Based VPNs . . . . . 236
        Multi-User Support . . . . . 239
    Wi-Fi EAP . . . . . 242
        EAP Authentication Methods . . . . . 243
        Android Wi-Fi Architecture . . . . . 244
        EAP Credentials Management . . . . . 245
        Adding an EAP Network with WifiManager . . . . . 248
    Summary . . . . . 250

Chapter 10: Device Security . . . . . 251
    Controlling OS Boot-Up and Installation . . . . . 252
        Bootloader . . . . . 252
        Recovery . . . . . 253
    Verified Boot . . . . . 254
        dm-verity Overview . . . . . 254
        Android Implementation . . . . . 255
        Enabling Verified Boot . . . . . 256
    Disk Encryption . . . . . 258
        Cipher Mode . . . . . 259
        Key Derivation . . . . . 260
        Disk Encryption Password . . . . . 261
        Changing the Disk Encryption Password . . . . . 262
        Enabling Encryption . . . . . 263
        Booting an Encrypted Device . . . . . 265
    Screen Security . . . . . 268
        Lockscreen Implementation . . . . . 268
        Keyguard Unlock Methods . . . . . 269
        Brute-Force Attack Protection . . . . . 276


Secure USB Debugging . . . . . . . . . . . . . . . .
ADB Overview . . . . . . . . . . . . . .
The Need for Secure ADB . . . . . . .
Securing ADB . . . . . . . . . . . . . . .
Secure ADB Implementation . . . . .
ADB Authentication Keys . . . . . . .
Verifying the Host Key Fingerprint .
Android Backup . . . . . . . . . . . . . . . . . . . . .
Android Backup Overview . . . . . .
Backup File Format . . . . . . . . . . . .
Backup Encryption . . . . . . . . . . . .
Controlling Backup Scope . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . .


.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.


11 NFC and Secure Elements
    NFC Overview
    Android NFC Support
        Reader/Writer Mode
        Peer-to-Peer Mode
        Card Emulation Mode
    Secure Elements
        SE Form Factors in Mobile Devices
        Accessing the Embedded SE
        Android SE Execution Environment
        UICC as a Secure Element
    Software Card Emulation
        Android 4.4 HCE Architecture
        APDU Routing
        Writing an HCE Service
        Security of HCE Applications
    Summary

12 SELinux
    SELinux Introduction
        SELinux Architecture
        Mandatory Access Control
        SELinux Modes
        Security Contexts
        Security Context Assignment and Persistence
        Security Policy
        Policy Statements
        Type Transition Rules
        Domain Transition Rules
        Access Vector Rules
    Android Implementation
        Kernel Changes
        Userspace Changes
        Device Policy Files
        Policy Event Logging
xiv   Contents in Detail
    Android 4.4 SELinux Policy
        Policy Overview
        Enforcing Domains
        Unconfined Domains
        App Domains
    Summary

13 System Updates and Root Access
    Bootloader
        Unlocking the Bootloader
        Fastboot Mode
    Recovery
        Stock Recovery
        Custom Recoveries
    Root Access
        Root Access on Engineering Builds
    Root Access on Production Builds
        Rooting by Changing the boot or system Image
        Rooting by Flashing an OTA Package
        Rooting via Exploits
    Summary
Index




Foreword

I first became aware of the quality of Nikolay’s work
in Android security with the release of Android 4.0,
Ice Cream Sandwich. I needed a better explanation of
the new Android backup format; I was struggling to
exploit a vulnerability I had found, because I didn’t
have a full grasp of the new feature and format. His clear, in-depth explanation helped me understand the issue, exploit the vulnerability, and get a
patch into production devices quickly. I have since been a frequent visitor to
his blog, often referring to it when I need a refresher.
While I was honored to be asked to write this foreword, I honestly didn’t
believe I’d learn much from the book because I’ve been working on Android
security for many years. This belief could not have been more wrong. As
I read and digested new information regarding subjects I thought I knew
thoroughly, my mind whirled with thoughts of what I had missed and what
I could have done better. Why wasn’t a reference like this available when I
first engrossed myself in Android?


This book exposes the reader to a wide range of security topics, from
Android permissions and sandboxing to the Android SELinux implementation,
SEAndroid. It provides excellent explanations of minute details and
rarely seen features such as dm-verify. Like me, you’ll walk away from this
book with a better understanding of Android security features.
Android Security Internals has earned a permanent spot on my office
bookshelf.
Jon “jcase” Sawyer
CTO, Applied Cybersecurity LLC
Port Angeles, WA

xviii   Foreword


Acknowledgments

I would like to thank everyone at No Starch Press who worked on this book.
Special thanks to Bill Pollock for making my ramblings readable and to
Alison Law for her patience in turning them into an actual book.
A big thanks to Kenny Root for reviewing all chapters and sharing the
backstories behind some of Android’s security features.
Thanks to Jorrit “Chainfire” Jongma for maintaining SuperSU, which
has been an invaluable tool for poking at Android’s internals, and for
reviewing my coverage of it in Chapter 13.
Thanks to Jon “ jcase” Sawyer for continuing to challenge our assumptions about Android security and for contributing a foreword to my book.



Introduction

In a relatively short period of time, Android has
become the world’s most popular mobile platform.
Although originally designed for smartphones, it
now powers tablets, TVs, and wearable devices, and
will soon even be found in cars. Android is being
developed at a breathtaking pace, with an average of two major releases
per year. Each new release brings a better UI, performance improvements,
and a host of new user-facing features which are typically blogged about
and dissected in excruciating detail by Android enthusiasts.
One aspect of the Android platform that has seen major improvements
over the last few years, but which has received little public attention, is security. Over the years, Android has become more resistant to common exploit
techniques (such as buffer overflows), its application isolation (sandboxing)
has been reinforced, and its attack surface has been considerably reduced
by aggressively decreasing the number of system processes that run as root.
In addition to these exploit mitigations, recent versions of Android have
introduced major new security features such as restricted user support,
full-disk encryption, hardware-backed credential storage, and support for
centralized device management and provisioning. Even more enterprise-oriented features and security improvements such as managed profile
support, improved full-disk encryption, and support for biometric authentication have been announced for the next Android release (referred to as
Android L as I write this).
As with any new platform feature, discussing cutting-edge security
improvements is exciting, but it’s arguably more important to understand
Android’s security architecture from the bottom up because each new security feature builds upon and integrates with the platform’s core security
model. Android’s sandboxing model (in which each application runs as a
separate Linux user and has a dedicated data directory) and permission system (which requires each application to explicitly declare the platform features it requires) are fairly well understood and documented. However, the
internals of other fundamental platform features that have an impact on
device security, such as package management and code signing, are largely
treated as a black box beyond the security research community.
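The sandboxing model described in the paragraph above is visible directly on a device: every installed package gets its own Linux UID, which Android’s toolbox renders as u0_a12 for appId 10012 under user 0, and owns its own directory under /data/data. The following Python script is an added example for this edition, not code from the book or from AOSP. It reproduces the UID arithmetic defined in AOSP (android.os.Process.FIRST_APPLICATION_UID = 10000 and android.os.UserHandle.PER_USER_RANGE = 100000) and audits a directory listing for data directories that are world-readable, world-writable, or shared between packages. The listing is constructed here to resemble toolbox `ls -l /data/data` output from Android 4.4; the package names and timestamps are made up. A shared UID is reported for review rather than as a fault, because it is legitimate only when the packages declare the same sharedUserId and are signed with the same certificate.

```python
"""Added example (not from the book or AOSP): Android's per-app sandbox as it
shows up in Linux UIDs and /data/data ownership. The directory listing is
constructed to resemble toolbox `ls -l /data/data` on Android 4.4."""
import re
from collections import defaultdict

# Constants as defined in AOSP (android.os.Process / android.os.UserHandle).
FIRST_APPLICATION_UID = 10000   # appIds below this belong to system components
PER_USER_RANGE = 100000         # each Android user gets its own UID range


def app_uid(user_id, app_id):
    """Linux UID for an app ID under a given Android user: (0, 10012) -> 10012."""
    return user_id * PER_USER_RANGE + app_id


def uid_to_name(uid):
    """Render an app UID the way Android's toolbox does: 10012 -> 'u0_a12'."""
    user_id, app_id = divmod(uid, PER_USER_RANGE)
    if app_id < FIRST_APPLICATION_UID:
        raise ValueError("%d is a system UID, not an application UID" % uid)
    return "u%d_a%d" % (user_id, app_id - FIRST_APPLICATION_UID)


def name_to_uid(name):
    """Inverse of uid_to_name: 'u0_a12' -> 10012, 'u10_a12' -> 1010012."""
    m = re.fullmatch(r"u(\d+)_a(\d+)", name)
    if m is None:
        raise ValueError("not an application UID name: %r" % name)
    return app_uid(int(m.group(1)), FIRST_APPLICATION_UID + int(m.group(2)))


# Constructed sample, not a capture from a real device: package names and
# timestamps are made up; the mode/owner/group layout follows toolbox `ls -l`.
SAMPLE_LISTING = """\
drwxr-x--x u0_a12   u0_a12            2014-05-10 12:00 com.example.mail
drwxr-x--x u0_a13   u0_a13            2014-05-10 12:01 com.example.notes
drwxr-x--x u0_a12   u0_a12            2014-05-10 12:02 com.example.mailsync
drwxrwxrwx u0_a14   u0_a14            2014-05-10 12:03 com.example.leaky
"""

_LS_LINE = re.compile(
    r"^([d-][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(?:\d+\s+)?"  # mode, owner, group, optional size
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(.+)$"             # date, time, entry name
)


def parse_listing(text):
    """Return {package: (mode, owner, group)} from toolbox-style `ls -l` output."""
    entries = {}
    for line in text.splitlines():
        m = _LS_LINE.match(line)
        if m is None:
            continue  # blank lines or anything that is not a directory entry
        mode, owner, group, package = m.groups()
        entries[package] = (mode, owner, group)
    return entries


def audit_sandbox(text):
    """Check that every app data directory is private to a single app UID.

    Returns a sorted list of (package, finding) pairs. A UID shared by several
    packages is legitimate only for apps that declare the same sharedUserId and
    are signed with the same certificate, so it is reported for review rather
    than as a definite fault.
    """
    findings = []
    by_uid = defaultdict(list)
    for package, (mode, owner, group) in parse_listing(text).items():
        others = mode[7:10]  # permission bits for "other" users, i.e. every other app
        if "w" in others:
            findings.append((package, "world-writable data directory (%s)" % mode))
        elif "r" in others:
            findings.append((package, "world-readable data directory (%s)" % mode))
        if owner != group:
            findings.append((package, "owner %s differs from group %s" % (owner, group)))
        by_uid[name_to_uid(owner)].append(package)
    for uid, packages in by_uid.items():
        if len(packages) > 1:
            for package in packages:
                peers = ", ".join(p for p in packages if p != package)
                findings.append((package, "shares UID %d (%s) with %s" % (uid, uid_to_name(uid), peers)))
    return sorted(findings)


if __name__ == "__main__":
    for package, finding in audit_sandbox(SAMPLE_LISTING):
        print("%-24s %s" % (package, finding))
```

Run against a real device, the same audit would consume the output of `adb shell ls -l /data/data`, which needs root (or the app’s own UID) to list other packages’ directories; the constructed listing above stands in for that so the script runs offline.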
One of the reasons for Android’s popularity is the relative ease with
which a device can be “flashed” with a custom build of Android, “rooted” by
applying a third-party update package, or otherwise customized. Android
enthusiast forums and blogs feature many practical “How to” guides that
take users through the steps necessary to unlock a device and apply various
customization packages, but they offer very little structured information
about how such system updates operate under the hood and what risks they
carry.
This book aims to fill these gaps by describing Android’s security architecture
from the bottom up and delving deep into the implementation of the major
Android subsystems and components that relate to device and data security.
The coverage includes broad topics that affect all applications, such as
package and user management, permissions and device policy, as well as more
specific ones such as cryptographic providers, credential storage, and
support for secure elements.
It’s not uncommon for entire Android subsystems to be replaced or
rewritten between releases, but security-related development is conservative by nature, and while the described behavior might be changed or augmented across releases, Android’s core security architecture should remain
fairly stable in future releases.

Who This Book Is For
This book should be useful to anyone interested in learning more about
Android’s security architecture. Both security researchers looking to evaluate the security level of Android as a whole or of a specific subsystem and
platform developers working on customizing and extending Android will
find the high-level description of each security feature and the provided
implementation details to be a useful starting point for understanding
the underlying platform source code. Application developers can gain a
deeper understanding of how the platform works, which will enable them
to write more secure applications and take better advantage of the security-related APIs that the platform provides. While some parts of the book are
accessible to a non-technical audience, the bulk of the discussion is closely
tied to Android source code or system files, so familiarity with the core concepts of software development in a Unix environment is useful.
xxii   Introduction


Prerequisites
The book assumes basic familiarity with Unix-style operating systems, preferably Linux, and does not explain common concepts such as processes,
user groups, file permissions, and so on. Linux-specific or recently added
OS features (such as capability and mount namespaces) are generally introduced briefly before discussing Android subsystems that use them. Most
of the presented platform code comes from core Android daemons (usually implemented in C or C++) and system services (usually implemented
in Java), so basic familiarity with at least one of these languages is also
required. Some code examples feature sequences of Linux system calls, so
familiarity with Linux system programming can be helpful in understanding the code, but is not absolutely required. Finally, while the basic structure and core components (such as activities and services) of Android apps
are briefly described in the initial chapters, basic understanding of Android
development is assumed.

Android Versions
The description of Android’s architecture and implementation in this book
(except for several proprietary Google features) is based on source code
publicly released as part of the Android Open Source Project (AOSP). Most
of the discussion and code excerpts reference Android 4.4, which is the latest publicly available version released with source code at the time of this
writing. The master branch of AOSP is also referenced a few times, because
commits to master are generally a good indicator of the direction future
Android releases will take. However, not all changes to the master branch
are incorporated in public releases as is, so it’s quite possible that future
releases will change and even remove some of the presented functionality.
A developer preview version of the next Android release (Android L,
mentioned earlier) was announced shortly after the draft of this book was
completed. However, as of this writing, the full source code of Android L is
not available and its exact public release date is unknown. While the preview release does include some new security features, such as improvements
to device encryption, managed profiles, and device management, none of
these features are final and so are subject to change. That is why this book
does not discuss any of these new features. Although we could introduce
some of Android L’s security improvements based on their observed behavior, without the underlying source code, any discussion about their implementation would be incomplete and speculative.



How Is This Book Organized?
This book consists of 13 chapters that are designed to be read in sequence.
Each chapter discusses a different aspect or feature of Android security,
and subsequent chapters build on the concepts introduced by their predecessors. Even if you’re already familiar with Android’s architecture and
security model and are looking for details about a specific topic, you should
at least skim Chapters 1 through 3 because the topics they cover form the
foundation for the rest of the book.

Chapter 1: Android’s Security Model gives a high-level overview of
Android’s architecture and security model.
Chapter 2: Permissions describes how Android permissions are
declared, used, and enforced by the system.
Chapter 3: Package Management discusses code signing and details
how Android’s application installation and management process works.
Chapter 4: User Management explores Android’s multi-user support
and describes how data isolation is implemented on multi-user devices.
Chapter 5: Cryptographic Providers gives an overview of the Java
Cryptography Architecture (JCA) framework and describes Android’s
JCA cryptographic providers.
Chapter 6: Network Security and PKI introduces the architecture of
the Java Secure Socket Extension (JSSE) framework and delves into its
Android implementation.
Chapter 7: Credential Storage explores Android’s credential store and
introduces the APIs it provides to applications that need to store cryptographic keys securely.
Chapter 8: Online Account Management discusses Android’s online
account management framework and shows how support for Google
accounts is integrated into Android.
Chapter 9: Enterprise Security presents Android’s device management
framework, details how VPN support is implemented, and delves into
Android’s support for the Extensible Authentication Protocol (EAP).
Chapter 10: Device Security introduces verified boot, disk encryption,
and Android’s lockscreen implementation, and shows how secure USB
debugging and encrypted device backups are implemented.
Chapter 11: NFC and Secure Elements gives an overview of Android’s
NFC stack, delves into secure element (SE) integration and APIs, and
introduces host-based card emulation (HCE).
Chapter 12: SELinux starts with a brief introduction to SELinux’s architecture and policy language, details the changes made to SELinux in
order to integrate it in Android, and gives an overview of Android’s base
SELinux policy.